Modernize all dependencies for PHP 8.4+

[mambax7]

Summary by CodeRabbit

• Chores

  • PHP minimum requirement raised to 8.4 and package type changed to a metapackage.
  • Dependency set modernized and realigned for newer Symfony/components and tooling.
  • Explicit incompatibility added for Smarty 5.0+.

• New Features

  • Enables modern libraries for PDF generation, QR codes, email, debugging and asset processing (new contemporary packages added).

[Copilot]

Pull Request Overview

This PR updates the minimum PHP version requirement from PHP 7.1+ to PHP 8.2+ and comprehensively updates all Composer dependencies to their latest compatible versions.

Key changes:

• Bumps minimum PHP version from >7.1 to >8.2
• Updates multiple major dependencies (Doctrine DBAL 2.9 → 4.2, Smarty 3.1 → 4.1, etc.)
• Reorganizes dependency declarations alphabetically for better maintainability

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[coderabbitai]

📝 Walkthrough

Walkthrough

composer.json converted to a metapackage and requires PHP ^8.4; many legacy dependencies removed or replaced, numerous new/updated runtime and Symfony-related packages added, and a conflict rule for smarty/smarty >=5.0 was introduced. (47 words)

Changes

Cohort / File(s)	Summary
Composer manifest composer.json	Type changed from project → metapackage; PHP requirement raised to ^8.4; legacy dependencies removed; new runtime extensions added (ext-mbstring, ext-pcre, ext-session); large dependency overhaul adding modern libraries (doctrine/dbal ^4.3.2, monolog/monolog, psr/log ^2

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇✨ I nibble on composer seeds anew,
PHP eight‑four sprouts bright and true,
Old bundles cleared, fresh packages in sight,
A metapackage hop into the light,
Dependencies dance — I twitch with delight! 🎶

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: modernizing and updating dependencies to support PHP 8.4+, which is the primary focus of the composer.json modifications.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

No actionable comments were generated in the recent review. 🎉

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@composer.json`:
- Around line 4-7: The composer.json currently advertises and requires PHP 8.4
("description": "Primary dependencies for XOOPS/XoopsCore (PHP 8.4+)" and the
"php" entry under "require" set to "^8.4"); confirm whether the project target
is PHP 8.2+ and if so update the "php" requirement from "^8.4" to the intended
floor (e.g. "^8.2") and adjust the "description" text to "PHP 8.2+" so the
manifest and messaging align; if 8.4 is intentional, confirm the PR objective
and keep as-is.

🧹 Nitpick comments (1)

composer.json (1)

43-44: Conflict rule is likely redundant with the hard require.

Since smarty/smarty is already pinned to ^4.5.6, the >=5.0 conflict doesn’t change resolution. Consider dropping it unless you anticipate loosening the requirement soon.

♻️ Optional simplification

-    "conflict": {
-        "smarty/smarty": ">=5.0"
-    }
+    "conflict": {}

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Confirm intended PHP floor (8.4 vs PR objective “8.2+”).

The PR objective says PHP 8.2+, but the manifest now requires ^8.4 and advertises PHP 8.4+. If that higher floor isn’t intentional, it will exclude 8.2/8.3 users.

✅ Possible alignment (if 8.2+ is intended)

-    "description": "Primary dependencies for XOOPS/XoopsCore (PHP 8.4+)",
+    "description": "Primary dependencies for XOOPS/XoopsCore (PHP 8.2+)",
...
-        "php": "^8.4",
+        "php": "^8.2",

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"type": "metapackage",
	"description": "Primary dependencies for XOOPS/XoopsCore (PHP 8.4+)",
	"require": {
	"php": ">7.1",
	"php": "^8.4",
	"type": "metapackage",
	"description": "Primary dependencies for XOOPS/XoopsCore (PHP 8.2+)",
	"require": {
	"php": "^8.2",

🤖 Prompt for AI Agents

In `@composer.json` around lines 4 - 7, The composer.json currently advertises and
requires PHP 8.4 ("description": "Primary dependencies for XOOPS/XoopsCore (PHP
8.4+)" and the "php" entry under "require" set to "^8.4"); confirm whether the
project target is PHP 8.2+ and if so update the "php" requirement from "^8.4" to
the intended floor (e.g. "^8.2") and adjust the "description" text to "PHP 8.2+"
so the manifest and messaging align; if 8.4 is intentional, confirm the PR
objective and keep as-is.

[mambax7]

PHP 8.4 is intentional. The PR title is outdated from an earlier iteration — updating it now to "composer updates PHP 8.4+".

The ^8.4 floor is required because:

• endroid/qr-code ^6.0.9 requires PHP 8.4+ (v5.x has implicit-nullable deprecation warnings on 8.4)
• Several other package upgrades (league/container, scssphp, wikimedia/less.php) were specifically chosen for their PHP 8.4 implicit-nullable fixes
• The project goal is to use PHP 8.4 as the new minimum, then fix XOOPS core code against it

Dropping to ^8.2 would force downgrading endroid/qr-code and leave deprecation warnings in several other packages. Keeping as-is.

[coderabbitai]

🧩 Analysis chain

🌐 Web query:

endroid qr-code version 6.0.9 PHP requirements

💡 Result:

For endroid/qr-code v6.0.9, you need PHP 8.2+ (v6 dropped PHP 8.1). [1][2]

Note: newer 6.1.x releases require PHP ^8.4, so if you’re on PHP 8.2/8.3 you’ll want to pin to 6.0.x (e.g., 6.0.9). [3]

Sources: [1] [2] [3]

---

🌐 Web query:

endroid qr-code version 6.1 PHP requirements

💡 Result:

For endroid/qr-code v6.1.x, Composer requires:

• PHP: ^8.4 (PHP 8.4+)
• Dependency: bacon/bacon-qr-code ^3.0 [1]

Common optional requirements (depending on what you use):

• ext-gd (to write PNG images)
• khanamiryan/qrcode-detector-decoder (image validation)
• setasign/fpdf (PDF writer) [1]

Sources: [1]

---

@mambax7, thank you for the clarification! That makes perfect sense.

I can confirm that endroid/qr-code ^6.0.9 will indeed pull in 6.1.x versions (which require PHP 8.4+), so the ^8.4 floor is correctly aligned with your dependency constraints. Your reasoning about avoiding implicit-nullable deprecation warnings by targeting PHP 8.4 across the dependency chain is sound.

Appreciate the update to the PR title to reflect the actual intent!

---

✏️ Learnings added

Learnt from: mambax7
Repo: XOOPS/base-requires PR: 50
File: composer.json:4-7
Timestamp: 2026-02-09T08:48:18.320Z
Learning: The XOOPS/XoopsCore project (in xoops/base-requires) is targeting PHP 8.4+ as the new minimum version to avoid implicit-nullable deprecation warnings and ensure compatibility with modern dependency versions.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[mambax7]

Addressing CodeRabbit review feedback

Smarty conflict rule ("smarty/smarty": ">=5.0")

Keeping this intentionally. The ^4.5.6 constraint prevents Smarty 5 today, but the conflict rule serves as an explicit safety guardrail and documents that Smarty 5 migration is deliberately deferred. This is a common pattern in metapackages — when we eventually loosen the Smarty constraint (e.g., ^4.5.6 || ^5.0), the conflict rule will need to be consciously removed, preventing accidental upgrades. It costs nothing and adds clarity.

Removing it to get an empty "conflict": {} block as suggested adds no value.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@composer.json`:
- Line 29: The dependency "ptachoire/cssembed" in composer.json is unmaintained;
remove it and replace with an actively maintained alternative (e.g.,
sabberworm/php-css-parser or another modern CSS minifier/parser) by updating
composer.json to require the new package, running composer update, and changing
any code that references ptachoire/cssembed to the new library's API (search for
usages of "ptachoire/cssembed" or classes/functions from that package and adapt
them to the replacement's class/method names); run the test suite and static
analysis to ensure PHP 8.4 compatibility and adjust code where APIs differ.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check ptachoire/cssembed package info
curl -s https://repo.packagist.org/p2/ptachoire/cssembed.json | jq '.packages["ptachoire/cssembed"][0:3] | .[] | {version, require, time}'

Repository: XOOPS/base-requires

Length of output: 336

---

Consider replacing ptachoire/cssembed with an actively maintained alternative.

This package was last updated in 2013 and specifies only php >= 5.3.0, with no explicit support for PHP 8.4. Using an unmaintained dependency poses compatibility and security risks.

🤖 Prompt for AI Agents

In `@composer.json` at line 29, The dependency "ptachoire/cssembed" in
composer.json is unmaintained; remove it and replace with an actively maintained
alternative (e.g., sabberworm/php-css-parser or another modern CSS
minifier/parser) by updating composer.json to require the new package, running
composer update, and changing any code that references ptachoire/cssembed to the
new library's API (search for usages of "ptachoire/cssembed" or
classes/functions from that package and adapt them to the replacement's
class/method names); run the test suite and static analysis to ensure PHP 8.4
compatibility and adjust code where APIs differ.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Composer package names are normalized to lowercase; using "ext-PDO" is inconsistent with the other ext-* requirements (e.g., ext-json/ext-mbstring) and can be confusing. Consider renaming it to "ext-pdo" for consistency and to match Composer docs.

[Copilot]

The requirements include both "ext-mbstring" and "symfony/polyfill-mbstring". If mbstring is mandatory (as implied by ext-mbstring), the polyfill is redundant; if mbstring should be optional, consider dropping the ext-mbstring requirement and relying on the polyfill (or documenting why both are needed).